excel4x
just joined
Topic Author
Posts: 15
Joined: Sat Nov 10, 2012 9:51 pm

conmark and pktmark chains

Thu Aug 20, 2020 5:16 am

I have seen presentations and examples of using the conmark and pktmark chains instead of the forward chain, etc. However, I cannot find any reference to these chains in the documentation or flow charts for RouterOS 6x.
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

In some examples, I see a rule to jump to the conmark or pktmark chain:
add action=jump chain=forward connection-mark=no-mark jump-target=conmark
add action=jump chain=forward connection-mark=!no-mark jump-target=pktmark
(QoS in RouterOS v6. by Alfredo Giordano)

I have been using the pktmark and conmark chains in some mangle rules. They seem to work some of the time but not all of the time.
However, I do not have rules to jump to these chains.

Are the pktmark and conmark chains built in to the packet flow?
If so, where do they fit within the flow?
Do I need to add rules to jump to these chains?

Thanks much!
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: conmark and pktmark chains

Thu Aug 20, 2020 5:34 am

There are no such built-in chains. And if you create custom chains but nothing jumps to them, they don't do anything.
 
excel4x
just joined
Topic Author
Posts: 15
Joined: Sat Nov 10, 2012 9:51 pm

Re: conmark and pktmark chains

Thu Aug 20, 2020 6:21 am

After reading your comment I checked and did find the jump to conmark and pktmark chains from the prerouting chain.
Thanks for the prompt reply!

A related question:
Aside from extra CPU cycles, is there a downside to just checking packets and not bothering with first checking connections - e.g. setting packet marks directly based on ports, addresses, etc.? In my environment the CPU load is low and this approach is simpler and easier to manage and maintain. I realize it is not as efficient, however, it cuts the rule count in half and simplifies debugging.
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: conmark and pktmark chains

Thu Aug 20, 2020 11:34 am

One big downside is that you often want to do things on both directions of a connection, and you would need two matches with the addresses/ports reversed.
Also, some matches are only possible at the beginning of a connection, and you then want to affect the whole connection.
The connection mark stays on the connection all the time and can be used for the reverse traffic as well.
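As an added illustration of the point above (this is not pe1chl's or the thread's own configuration), here are the two approaches written out in RouterOS mangle syntax. The ports 19305-19309 and 8801 are the teleconf ports that come up later in this thread; the mark names teleconf-pkt and teleconf-con are assumed.

```routeros
# Added example, not from the thread. Ports are the teleconf ports mentioned
# later in the thread; the mark names are assumptions.

/ip firewall mangle

# --- Approach 1: packet marks only, no connection mark ---
# Each direction of the flow needs its own rule, because the server port is
# the dst-port on the way out and the src-port on the way back.
add chain=prerouting protocol=udp dst-port=19305-19309,8801 action=mark-packet new-packet-mark=teleconf-pkt passthrough=no comment="pkt-only: LAN -> server"
add chain=prerouting protocol=udp src-port=19305-19309,8801 action=mark-packet new-packet-mark=teleconf-pkt passthrough=no comment="pkt-only: server -> LAN"

# --- Approach 2: connection mark once, packet mark on every packet ---
# Only the first packet of a connection still has connection-mark=no-mark, so
# the mark-connection rule fires once. The mark lives in the connection
# tracking entry, so reply packets match it too, with no reversed rule.
# Matchers that only see the start of a connection (for example tls-host,
# which matches the TLS ClientHello) work the same way: match once, and the
# whole connection carries the mark from then on.
add chain=prerouting connection-mark=no-mark protocol=udp dst-port=19305-19309,8801 action=mark-connection new-connection-mark=teleconf-con passthrough=yes comment="conmark: set once per connection"
add chain=prerouting connection-mark=teleconf-con action=mark-packet new-packet-mark=teleconf-pkt passthrough=no comment="pktmark: both directions"

# Checks: the tracking entry should carry the connection mark, and the
# pktmark rule's counters should grow for traffic in both directions.
/ip firewall connection print where connection-mark=teleconf-con
/ip firewall mangle print stats where comment~"pktmark"
```

Approach 2 is two rules for the whole flow instead of two rules per direction, and the second check is the quick way to see whether the reverse traffic is actually being marked.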
 
excel4x
just joined
Topic Author
Posts: 15
Joined: Sat Nov 10, 2012 9:51 pm

Re: conmark and pktmark chains

Sat Aug 22, 2020 12:36 am

Thanks for the advice!

I am trying to prioritize teleconferencing traffic by port#. The traffic is captured, however, both upload and download traffic are being shown as download traffic in the corresponding simple queue. I tested this by turning the camera on and off. That upload traffic is showing up in the download side of the simple queue that looks at the packet mark. The upload side shows no activity.

In contrast, I have a mangle rule for icmp traffic that shows upload and download traffic separately. The rules are almost identical except for the port filter.

I am running v6.44.4
I tried using both "any port" and "dst port" in the connection rule - same result.

What have I done incorrectly to queue upload and download teleconf traffic?


Mangle rules:
0 ;;; stable ping conn mark
chain=prerouting action=mark-connection new-connection-mark=stable-ping passthrough=yes protocol=icmp connection-mark=no-mark

1 ;;; stable ping packet mark
chain=prerouting action=mark-packet new-packet-mark=ping-packet passthrough=no protocol=icmp connection-mark=stable-ping

15 chain=prerouting action=jump jump-target=conmark connection-mark=no-mark

16 chain=prerouting action=jump jump-target=pktmark connection-mark=!no-mark

17 ;;; teleconf_udp
chain=conmark action=mark-connection new-connection-mark=teleconf-con passthrough=yes protocol=udp port=19305-19309,8801 log=no log-prefix=""

18 ;;; teleconf_tcp
chain=conmark action=mark-connection new-connection-mark=teleconf-con passthrough=yes protocol=tcp port=19305-19309,8801 log=no log-prefix=""

50 ;;; teleconf
chain=pktmark action=mark-packet new-packet-mark=teleconf-pkt passthrough=no connection-mark=teleconf-con log=no log-prefix=""

Simple queues:
1 name="stable-ping" parent=none packet-marks=ping-packet priority=8/8
queue=default-small/default-small limit-at=0/0
max-limit=20301k/20100k burst-limit=20501k/20300k burst-threshold=20401k/20200k burst-time=4s/4s bucket-size=0.1/0.1
time=0s-18h,sun,mon,tue,wed,thu,fri,sat

15 name="teleconf" parent=none packet-marks=teleconf-pkt priority=8/8
queue=default-small/default-small limit-at=0/0
max-limit=20301k/20100k burst-limit=20501k/20300k burst-threshold=20401k/20200k burst-time=4s/4s bucket-size=0.1/0.1
time=0s-18h,sun,mon,tue,wed,thu,fri,sat
 
pe1chl
Forum Guru
Posts: 10544
Joined: Mon Jun 08, 2015 12:09 pm

Re: conmark and pktmark chains

Sat Aug 22, 2020 1:53 pm

Simple queues are mainly for giving each IP a fair share in the total traffic. You separate traffic by IP address and queues are dynamically created for each address, and traffic shaped to conform to minimum and maximum rates for each client.

That is not what you want when you are trying to prioritize certain traffic above other, independently of the client.
Use "queue tree" for that!
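To show what the queue tree suggestion looks like in practice, here is an added example (not pe1chl's or excel4x's configuration). The interface names bridge-lan and ether1-wan, the rates, and the other-pkt mark are assumptions; teleconf-con and teleconf-pkt are the mark names from the mangle rules posted above.

```routeros
# Added example, not from the thread. Interface names, rates and the
# other-pkt mark are assumptions.

/ip firewall mangle
# Mark the teleconf connections once, then every packet of them, and give
# all remaining packets a catch-all mark so the tree can see them too.
add chain=prerouting connection-mark=no-mark protocol=udp dst-port=19305-19309,8801 action=mark-connection new-connection-mark=teleconf-con passthrough=yes
add chain=prerouting connection-mark=teleconf-con action=mark-packet new-packet-mark=teleconf-pkt passthrough=no
add chain=prerouting packet-mark=no-mark action=mark-packet new-packet-mark=other-pkt passthrough=no comment="everything else"

/queue tree
# Download side: a queue attached to the LAN interface shapes traffic leaving
# the router towards the clients, whichever client it is for. Queue tree
# limits are single values (one direction per tree), unlike simple queues.
add name=down parent=bridge-lan max-limit=20M
add name=down-teleconf parent=down packet-mark=teleconf-pkt priority=1 limit-at=5M max-limit=20M
add name=down-other parent=down packet-mark=other-pkt priority=8 limit-at=5M max-limit=20M
# Upload side: the same structure on the WAN interface.
add name=up parent=ether1-wan max-limit=5M
add name=up-teleconf parent=up packet-mark=teleconf-pkt priority=1 limit-at=2M max-limit=5M
add name=up-other parent=up packet-mark=other-pkt priority=8 limit-at=1M max-limit=5M

# Check that both children are actually receiving traffic.
/queue tree print stats
```

The priority values only come into play between siblings under the same parent once that parent is saturated: below the parent's max-limit nothing is delayed, above it the priority-1 child gets its bandwidth first regardless of which client the packets belong to.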
 
excel4x
just joined
Topic Author
Posts: 15
Joined: Sat Nov 10, 2012 9:51 pm

Re: conmark and pktmark chains

Sat Aug 22, 2020 8:58 pm

Thanks pe1chl,

I am using simple queues by household (subnet) to manage traffic and this is working well overall. However, school at home needs more bandwidth at various times. And within a household I want the school work to get bandwidth independent of other traffic, even if total bandwidth for the household exceeds the standard level.

My understanding is that simple queues take priority over queue trees, so to use queue trees would require converting all of the simple queues as well. Queue trees are more complex to set up and manage, so I'd prefer to use simple queues.

The simple queue for classroom video seems to be working ok. It is above the other queues, so it gets bandwidth in addition to the main household queue. If the network saturates, I can lower the household queue bandwidth during class times.

I am modeling this approach based on "how to set a simple queue based on dst. port?" Though in my case I want to provide additional bandwidth for classwork.
viewtopic.php?t=38786

fewi's response indicates that connection marks will handle bidirectional traffic. The queue is seeing traffic in both directions, but it is all showing up under the download side. Is something wrong in my rules or is there no way to shape and see the separated download and upload streams for this teleconf simple queue?
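An added example for the upload/download question (not excel4x's configuration). A simple queue decides direction relative to its target: packets whose source address is in the target range count as upload, packets whose destination is in it count as download. The queues posted above have no target, so that is the first thing I would check; the subnet 192.168.10.0/24 and the rates below are assumptions, and teleconf-pkt is the packet mark from the mangle rules in this thread.

```routeros
# Added example, not from the thread. 192.168.10.0/24 stands in for one
# household's subnet; the rates are assumptions.

/queue simple
# Direction is relative to "target": src in the range = upload,
# dst in the range = download. Without a target there is no reference point
# for that split, so a marked-only queue cannot separate the two.
#
# Simple queues are matched in order and a packet stops at the first queue
# it matches, so the teleconf queue goes first: marked packets use it, and
# everything else from the household falls through to the household queue.
add name=teleconf-A target=192.168.10.0/24 packet-marks=teleconf-pkt max-limit=5M/20M comment="school video, matched first"
add name=household-A target=192.168.10.0/24 max-limit=2M/10M comment="all other traffic from the household"

# With the camera on, both the upload and the download counters of the
# teleconf queue should move.
/queue simple print stats where name=teleconf-A
```

The stats columns are printed as upload/download pairs, so a camera test like the one described above should show movement on both sides once the queue has a target to measure direction against.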